Merge "[STRIMZI] Solve Security Policy violations"
[oom.git] / kubernetes / common / mariadb-galera / values.yaml
index be7ad8e..faab7af 100644 (file)
@@ -56,16 +56,16 @@ secrets:
 
 mariadbOperator:
   image: mariadb
-  appVersion: 11.1.2
+  appVersion: 11.2.2
   persistence:
     #storageClassName: default
     size: 3Gi
   galera:
     enabled: true
-    agentImage: mariadb-operator/agent
-    agentVersion: v0.0.3
-    initImage: mariadb-operator/init
-    initVersion: v0.0.6
+    agentImage: mariadb-operator/mariadb-operator
+    agentVersion: v0.0.28
+    initImage: mariadb-operator/mariadb-operator
+    initVersion: v0.0.28
 
 ## String to partially override common.names.fullname template (will maintain the release name)
 ##
@@ -99,7 +99,7 @@ podAnnotations:
   #  sidecar.istio.io/inject: "false"
   traffic.sidecar.istio.io/excludeInboundPorts: "4444,4567,4568"
   traffic.sidecar.istio.io/includeInboundPorts: '*'
-  traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568"
+  traffic.sidecar.istio.io/excludeOutboundPorts: "4444,4567,4568,443"
 
 mariadbOpConfiguration: |-
   [mysqld]
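Review bot: Adding 443 to `traffic.sidecar.istio.io/excludeOutboundPorts` makes every outbound connection to port 443 from these pods bypass the Istio sidecar, whatever the destination, so mesh mTLS, authorization policy and egress telemetry no longer apply to that traffic. The hunk does not say why. Presumably the operator agent needs to reach the Kubernetes API directly, but that should be confirmed and recorded in a comment above the annotation, for example `# 443 excluded so the operator agent can reach the kube-apiserver without the sidecar`. If that is the only destination needed, scoping the bypass by address with `traffic.sidecar.istio.io/excludeOutboundIPRanges` would be narrower than excluding the port for all destinations.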
@@ -217,10 +217,13 @@ serviceAccount:
 ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 ##
 securityContext:
-  enabled: true
   user_id: 10001
   group_id: 10001
 
+# Old Bitnami Chart does not work without Filesystem access
+containerSecurityContext:
+  readOnlyFileSystem: false
+
 ## Database credentials for root (admin) user
 ##
 rootUser:
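Review bot: The new key is spelled `readOnlyFileSystem`, while the Kubernetes field and the metrics block added later in this commit use `readOnlyRootFilesystem`. The chart templates are not visible here, so confirm they read this exact name; otherwise the override is silently ignored. The setting leaves the container root filesystem writable, and the comment only says the old Bitnami chart needs it. Naming the paths that must be writable would let a later change mount them as `emptyDir` volumes and switch the read-only root back on. Removing `enabled: true` from `securityContext` is safe only if no template still gates on `.Values.securityContext.enabled`, which also cannot be checked from this hunk.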
@@ -329,8 +332,8 @@ backup:
 
 readinessCheck:
   wait_for:
-    apps:
-      - '{{ include "common.name" . }}'
+    services:
+      - '{{ include "common.servicename" . }}'
 
 ## TLS configuration
 ##
@@ -592,18 +595,18 @@ flavor: small
 resources:
   small:
     limits:
-      cpu: '1'
-      memory: 4Gi
+      cpu: "1"
+      memory: "4Gi"
     requests:
-      cpu: 500m
-      memory: 2Gi
+      cpu: "500m"
+      memory: "2Gi"
   large:
     limits:
-      cpu: '2'
-      memory: 6Gi
+      cpu: "2"
+      memory: "6Gi"
     requests:
-      cpu: '1'
-      memory: 3Gi
+      cpu: "1"
+      memory: "3Gi"
   unlimited: {}
 
 ## MariaDB Galera containers' liveness and readiness probes
@@ -659,6 +662,19 @@ metrics:
   ##   - --collect.binlog_size
   ##
   extraFlags: []
+  securityContext:
+    readOnlyRootFilesystem: true
+    privileged: false
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+        - CAP_NET_RAW
+    runAsGroup: 10001
+    runAsNonRoot: true
+    runAsUser: 10001
+    seccompProfile:
+      type: RuntimeDefault
   ## MySQL Prometheus exporter containers' resource requests and limits
   ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
   ##
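Review bot: In `capabilities.drop`, the `CAP_NET_RAW` entry is redundant after `ALL`, and Kubernetes manifests expect capability names without the `CAP_` prefix, so the line should be `- NET_RAW` or be removed. If a policy scanner insists on an explicit entry, say so in a comment such as `# explicit entry required by the policy check; ALL already covers it`. The hard-coded `runAsUser: 10001` and `runAsGroup: 10001` duplicate `securityContext.user_id` and `group_id` from earlier in the file, so a short comment noting that the two must stay in sync would help. The enclosing `metrics:` mapping starts outside this hunk.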
@@ -668,11 +684,11 @@ metrics:
     # resources, such as Minikube. If you do want to specify resources, uncomment the following
     # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
     limits:
-      cpu: 0.5
-      memory: 256Mi
+      cpu: "0.5"
+      memory: "200Mi"
     requests:
-      cpu: 0.5
-      memory: 256Mi
+      cpu: "0.5"
+      memory: "200Mi"
   ## MariaDB Galera metrics container's liveness and readiness probes
   ## ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
   ##